Remediation Templates

Create and manage access remediation instructions for custom applications.

Custom templates for Access Remediation are provided as an Early Access feature. Please contact your Veza customer success team for more details, and to enable this option.

Overview

Custom instructions contain one or more possible solutions and steps to remove access for Apps and Identity Providers added using Open Authorization API connectors. A template is applied (its steps are offered as possible remediation steps) when all of the following conditions are true:

  1. Access removal is requested for a node of source_node_type

  2. The destination node type for the changed access is destination_node_type

  3. property_matchers all match:

    • matched_node_type determines whether to match a named property of the source node (0) or the destination node (1)

    • matched_property_name is the name of the property to match

    • matched_property_value is the exact value to match.

Depending on the order in which templates are created, more than one template might match a pair of (source, destination) nodes. In that case only the first matching template (in the order returned from the "List" API) is applied.

Methods

Operation                             Method   Syntax
Create Recipe Instruction Template    POST     /api/private/recipes:instruction_template
List Recipe Instruction Templates     GET      /api/private/recipes:instruction_template
Delete Recipe Instruction Template    DELETE   /api/private/recipes:instruction_template/{id}

Instruction template properties

Key                    Type    Description
id                     string  Instruction template ID
template_steps         array   Instructions for access remediation
source_node_type       string  Template applies when the result's source is an entity of this type (such as "CustomUser" or "CustomGroup")
destination_node_type  string  Template applies when the destination is an entity of this type (such as "CustomApplication" or "CustomRole")
property_matchers      array   Defines the source or destination node properties that must match for the template to apply

Example:

{
  "template": {
    "template_steps": [
      "Option: Remove user from group",
      "Option: Remove user from application"
    ],
    "source_node_type": "CustomUser",
    "destination_node_type": "CustomGroup",
    "property_matchers": [
      {
        "matched_node_type": 0,
        "matched_property_name": "provider_name",
        "matched_property_value": "Auth0-dev"
      }
    ]
  }
}

Template steps

Remediation Proposals enable users to request changes to authorization when reviewing certifications. Since the exact steps to alter permissions, such as removing users or changing groups, can vary from application to application, you can use template steps to add customized directions for:

  • Access removal for pairs of entity types (source, destination)

  • Instructions based on properties on the source or destination node (such as a unique "provider_name".)

Instructions are specified in template_steps. They will be shown when remediation is requested for users with authorization paths containing a matching source and destination entity type.

You can provide more than one set of steps in template_steps. Responders can pick any one of them to complete the task:

"template_steps": [
  "GUI: Open Roles -> Select Role -> Manage Assignments",
  "Console: `REVOKE ROLE <name> FROM USER {{source.name}}`"
]

  • Templates only apply when a property on either the source or destination node matches a specific value. This enables separate instruction sets for apps of similar entity types.

  • If there are multiple possible solutions, specify each as a separate array element (["Option A", "Option B"]). Multi-step instructions belong in a single element that enumerates the steps (["1: ... 2: ... 3: ..."]).

  • Templates can use placeholders to reference any value on a source or destination node, such as user provider_name.

Placeholders

Two placeholder forms can be used in template_steps strings; they are replaced using graph metadata when the remediation request is created:

  • When viewing instructions, placeholders of the form {{<node>.<property_name>}} are replaced with the value of a source or destination node property.

    • <node> must be "source" or "destination"

    • <property_name> can be any property of the node. Non-string values are formatted with fmt.Sprintf("%v", value) for safety.

When the recipe is created, the instruction steps will be saved and won’t change, even if the graph properties change later. Placeholders can reference any source or destination node property, regardless of the property_matchers applied.

Property Matchers

Instructions will only apply when either the source or destination node has a matching property, such as provider_name. This is used to differentiate between multiple custom app integrations (multiple custom Identity Providers or OAA connectors).

Key                     Type    Description
matched_node_type       int     Which node's property to match: 0 for the source (default) or 1 for the destination
matched_property_name   string  Property to match (for example "provider_name")
matched_property_value  string  Exact value to match (for example "Custom Identity Provider")

Note that only string values are supported.
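The following is an added example, not Veza's own code, that models the rules from the Overview (all three conditions must hold, first match in List order wins), the Placeholders section ({{source.<prop>}} / {{destination.<prop>}}, non-strings formatted like fmt.Sprintf("%v")) and the Property Matchers section (string values only). The node records, the "type" key that carries each node's entity type, the template list, the OTHER_PROVIDER value, the is_active property and the choice to leave an unknown placeholder verbatim are all constructed assumptions; the node IDs are the ones from the end-to-end example below.

```python
# Added example (not Veza's code): how a remediation template is selected for a
# (source, destination) pair and how its placeholders are rendered, per this page.
from __future__ import annotations

import re
from typing import Any, Optional

# {{source.<prop>}} or {{destination.<prop>}}; only those two node names are valid.
PLACEHOLDER = re.compile(r"\{\{(source|destination)\.([A-Za-z0-9_]+)\}\}")


def validate_template(template: dict) -> list[str]:
    """Client-side checks mirroring the documented constraints; returns the problems found."""
    problems: list[str] = []
    steps = template.get("template_steps")
    if not isinstance(steps, list) or not steps or not all(isinstance(s, str) for s in steps):
        problems.append("template_steps must be a non-empty array of strings")
    for key in ("source_node_type", "destination_node_type"):
        if not isinstance(template.get(key), str) or not template[key]:
            problems.append(f"{key} must be a non-empty string")
    for i, m in enumerate(template.get("property_matchers") or []):
        if m.get("matched_node_type", 0) not in (0, 1):
            problems.append(f"property_matchers[{i}].matched_node_type must be 0 (source) or 1 (destination)")
        if not isinstance(m.get("matched_property_name"), str):
            problems.append(f"property_matchers[{i}].matched_property_name must be a string")
        if not isinstance(m.get("matched_property_value"), str):  # page: only string values are supported
            problems.append(f"property_matchers[{i}].matched_property_value must be a string")
    return problems


def matcher_hits(matcher: dict, source: dict, destination: dict) -> bool:
    """One matcher compares a named property of the source (0) or destination (1) node to an exact value."""
    node = destination if matcher.get("matched_node_type", 0) == 1 else source
    return node.get(matcher["matched_property_name"]) == matcher["matched_property_value"]


def select_template(templates: list[dict], source: dict, destination: dict) -> Optional[dict]:
    """First template, in List order, whose three conditions all hold; later matches are shadowed."""
    for t in templates:
        if t["source_node_type"] != source["type"] or t["destination_node_type"] != destination["type"]:
            continue
        if all(matcher_hits(m, source, destination) for m in t.get("property_matchers", [])):
            return t
    return None


def format_value(value: Any) -> str:
    """Approximates Go's fmt.Sprintf("%v") for the scalar types found in node properties."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def render_steps(template: dict, source: dict, destination: dict) -> list[str]:
    """Substitute placeholders once, at request-creation time; the result is what gets stored."""
    nodes = {"source": source, "destination": destination}

    def substitute(match: re.Match) -> str:
        node, prop = nodes[match.group(1)], match.group(2)
        if prop not in node:
            return match.group(0)  # assumption: an unknown property is left verbatim
        return format_value(node[prop])

    return [PLACEHOLDER.sub(substitute, step) for step in template["template_steps"]]


def remediation_steps(templates: list[dict], source: dict, destination: dict) -> list[str]:
    """What a remediation request would show: the selected template's rendered steps, or [] if none."""
    chosen = select_template(templates, source, destination)
    return render_steps(chosen, source, destination) if chosen else []


def make_template(steps: list[str], matched_node_type: int, value: Any) -> dict:
    """Helper for constructing CustomUser -> CustomGroup templates keyed on provider_name."""
    return {"template_steps": steps, "source_node_type": "CustomUser",
            "destination_node_type": "CustomGroup",
            "property_matchers": [{"matched_node_type": matched_node_type,
                                   "matched_property_name": "provider_name",
                                   "matched_property_value": value}]}


# Constructed nodes; "type" is our own key, ids are the ones from the page's end-to-end example.
SOURCE = {"type": "CustomUser", "id": "custom_provider:application:some_provider:user:username",
          "name": "username", "provider_name": "SOME_PROVIDER", "is_active": True}
DESTINATION = {"type": "CustomGroup", "id": "custom_provider:application:some_provider:group:groupname",
               "name": "groupname", "provider_name": "SOME_PROVIDER"}

# Constructed List order: [0] is for another provider and must not match, [1] is the page's
# end-to-end template, [2] would also match (on the destination) but is shadowed by [1].
TEMPLATES = [
    make_template(["Open the OTHER_PROVIDER console and remove {{source.name}}"], 0, "OTHER_PROVIDER"),
    make_template(["template line 1: {{source.id}}", "template line 2: {{destination.id}}"], 0, "SOME_PROVIDER"),
    make_template(["Shadowed: remove {{source.name}} (active={{source.is_active}}) from {{destination.name}}"],
                  1, "SOME_PROVIDER"),
]

if __name__ == "__main__":
    for line in remediation_steps(TEMPLATES, SOURCE, DESTINATION):
        print(line)
```

Because selection stops at the first match, a template created later for a narrower case (TEMPLATES[2] above) is never used while an earlier, broader one matches; running validate_template before the POST catches the two mistakes the page calls out, a non-string matched_property_value and a matched_node_type other than 0 or 1.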

Examples

End-to-end example

After setting custom instructions:

{
  "template": {
    "template_steps": [
      "template line 1: {{source.id}}",
      "template line 2: {{destination.id}}"
    ],
    "source_node_type": "CustomUser",
    "destination_node_type": "CustomGroup",
    "property_matchers": [
      {
        "matched_node_type": 0,
        "matched_property_name": "provider_name",
        "matched_property_value": "SOME_PROVIDER"
      }
    ]
  }
}

When a remediation request is created for a certification result that meets all of the conditions ("source_node_type":"CustomUser" AND "destination_node_type":"CustomGroup" AND the source node has the property "provider_name":"SOME_PROVIDER"), the instruction steps will be:

"template line 1: custom_provider:application:some_provider:user:username",
"template line 2: custom_provider:application:some_provider:group:groupname"

Where "custom_provider:application:some_provider:user:username" and "custom_provider:application:some_provider:group:groupname" are the IDs of the user and group for access removal.

Multiple possible solutions

{
  "template": {
    "template_steps": [
      "Remove user {{source.name}}(id:{{source.id}}) from Group {{destination.name}} in {{source.provider_name}};",
      "Remove user {{source.name}}(id:{{source.id}}) from Application  {{source.provider_name}}"
    ],
    "source_node_type": "CustomUser",
    "destination_node_type": "CustomGroup",
    "property_matchers": [
      {
        "matched_node_type": 0,
        "matched_property_name": "provider_name",
        "matched_property_value": "CustomIdP"
      }
    ]
  }
}

Instructions choice #1:

1. Remove user cxu(id:xxx) from Group Engineering in CustomIdP;

Instructions choice #2:

2. Remove user cxu(id:xxx) from Application CustomIdP.

Multi-step instructions

{
  "template": {
    "template_steps": [
      "Remove user {{source.name}} from application {{source.provider_name}} with the following 2 steps: 1) Remove user {{source.name}} from Group {{destination.name}} in {{source.provider_name}}; 2) Remove user {{source.name}}(id:{{source.id}}) from Application  {{source.provider_name}}"
    ],
    "source_node_type": "CustomUser",
    "destination_node_type": "CustomGroup",
    "property_matchers": [
      {
        "matched_node_type": 0,
        "matched_property_name": "provider_name",
        "matched_property_value": "CustomIdP"
      }
    ]
  }
}

The resulting instruction will be:

Remove user cxu from application CustomIdP with the following 2 steps: 1) Remove user cxu from Group Engineering in CustomIdP; 2) Remove user cxu from Application CustomIdP.
